CFS – Demystifying the Microsoft Extended File System (exFAT)

The Computer Forensics Show
Conference, April 19-20, 2010, New York, NY

Demystifying the Microsoft Extended File System (exFAT)
Robert Shullich
CPP, CISSP, CISM, CISA, CGEIT, GSEC, GCFA
This information is provided for your review only and is not for any distribution. Any reproduction, modification, distribution, transmission, display or republication of the content is strictly prohibited.
Agenda
• Why a new file system
• Forensics Relevance
• Features
• Advantages
• Timelines
• Support
• Limits
• Internals
Why do we need a new file system?
• Current Limits Exhausted
• Larger volumes (>2TB)
• Larger file sizes (>4GB)
• Faster I/O (300MB/s)
• Removable Media
• Flexibility
• Extensibility
• NTFS Features without the overhead
Relevance to Forensics Study
• Digital Evidence Extraction
– Finding the evidence
– Including the hiding places
– Validation
• Daubert Expert Testimony
– Need to know and understand file org
• New Media (SD Cards) will drive exFAT adoption, and the potential for CP investigations.
What happens when you have exFAT formatted media and no exFAT support?
Forensics Challenges
• Linux OS Support
• Open Source Tools
• Commercial Tools
– Encase
– FTK
• Documentation
Disclaimer
• The released specification and implementation is
Release 1.00 of exFAT
• The specification mentions additional features that were not implemented yet, but may be at a future time. Some of these are Windows CE holdovers
• Both may be presented today
• Some directory entries will be skipped
International System of Units (SI) Table
• File System in powers of 2
• Device characteristics in powers of 10

Shorthand  Longhand  Nth   Bytes
KiB        Kibibyte  2^10  1024
MiB        Mebibyte  2^20  1024 KiB
GiB        Gibibyte  2^30  1024 MiB
TiB        Tebibyte  2^40  1024 GiB
PiB        Pebibyte  2^50  1024 TiB
EiB        Exbibyte  2^60  1024 PiB
ZiB        Zebibyte  2^70  1024 EiB
YiB        Yobibyte  2^80  1024 ZiB
Features of exFAT 1.00
• Sector sizes from 512 to 4096 bytes
• Cluster sizes to 32MiB
• Subdirectories to 256MiB
• Built for speed, less overhead than NTFS but has some of the NTFS features
• UTC Timestamp Support
• OEM Parameters Sector for device dependent parameters
• 12 sector VBR, support of larger boot program
• Potential capacity to 64ZiB
• Up to 2,796,202 files per subdirectory
Future Features of exFAT
• TexFAT (To be released later)
– Exists in Windows CE
– Transaction Safe exFAT
• ACL (To be released later)
– Exists in Windows CE
• Encryption Support?
– Not announced, but mentioned how easy to add
MBR Partition Limitations
• Microsoft File Systems are limited when stored in a MBR partition
• A partition is defined by a Master Boot Record
• A MBR uses a 4 byte value for number of sectors
• To get the maximum volume size, exFAT cannot be created within a partition
Advantages of exFAT
• Handle growing capacities in media, increasing capacity to >32 GB.
• > 1000 files in a single directory.
• Speeds up storage allocation processes.
• Breaks file size 4 GB barrier.
• Supports interoperability with future desktop OSs.
• Provides an extensible format.
Key Dates for exFAT
• September 2006 – Windows CE 6.0
• March 2008 – Windows Vista Service Pack 1
• January 2009 – Announcement at CES of SDXC specification
• January 2009 – Windows XP Drivers Available
• May 2009 – Windows Vista Service Pack 2
• August 2009 – Tuxera Signs File System IP Agreement with Microsoft
• March 2009 – Pretec Releases first SDXC Cards
• December 2009 – Microsoft (re)announces exFAT license program for third-parties
• December 2009 – SDXC laptops due soon
• December 2009 – Diskinternals releases exFAT recovery utility
• December 2009 – Encase support
More Key Dates for exFAT
• December 2009 – Sony, Canon & Sanyo License
• January 2010 – Funai License (LCD TV)
• February 2010 – Panasonic License
• February 2010 – Panasonic 64/48GB SDXC
• February 2010 – Sony Memory Stick XC
• February 2010 – Sandisk Ultra XC 64GB Card 3.0 Spec $350
SD Card Association
• New Memory Card
• Consumer Appliances
• Follows SDHC
• Specification for 2TB Capacity
SDXC Storage Capabilities
• From 32GB to 2TB on a card
• Exclusively exFAT File System
• 300 MB/s I/O Transfer
• Storage
– 4,000 RAW images
– 100 HD movies
– or 60 hours of HD recording
– 17,000 fine-grade photos
– in a single directory
Support for exFAT
• Windows XP & Server 2003
– KB955704
• Vista & Server 2008 SP1
• Vista & Server 2008 SP2
– (Adds UTC timestamp support)
• Windows 7
Reference Standards
• Bits are numbered right to left
– 76543210
• Decimal Offsets
• Little-Endian numbers
• Unsigned numbers
• Sectors vs. Clusters
• Strings not Terminated
File System Integrity
• Version Verified
• 3 Checksums
– VBR
– UP-Case Table
– File Set
• Critical Directory Entries
• Other Checks and Balances
• File System should NOT mount if any of these checks fail
exFAT Limits
• Volume size 128PiB
– MS said 64ZiB
– MS now says 256TiB
• File Size 16 EiB (64 bit number)
– Bigger than volume size
• Subdirectory 256MiB
• Sector 512-4096 bytes (2^9 to 2^12)
• Cluster 32MiB (2^25)
• No floppy support
• No FAT32 minimum cluster restriction
• No 8.3 file name support
Data Hide Alert!
• FAT32 max cluster 32KiB
• exFAT max cluster 32MiB
• Potential for massive slack space
Volume Space Layout
• The Main Boot Region
– Contains main VBR
• The Backup Boot Region
– Contains backup VBR
• The FAT Region
– Contains FAT Table(s)
• The Data Region (Cluster Heap)
– This is where data resides
VBR – Volume Boot Record
• Contains 12 sectors
– 1 sector main boot sector
• Jump Code (3 bytes)
• BPB (BIOS Parameter Block)
• Boot Strap Code
– 8 sectors main extended boot sectors
– 1 sector OEM parms
– 1 sector reserved
– 1 sector VBR Checksum
Boot Parameter Block (BPB)
• OEM Label “EXFAT   ”
• Volume Length (64-bit) [sector]
• FAT Location & Size [sector]
• Heap Location & Size [sector, cluster]
• Volume Serial Number
• Location of Root Directory [cluster]
• Volume Flags
• Sector and Cluster Sizes [2-shift]
• Percent in use
• File System Revision (0x0010=1.00)
Sectors & Clusters
• A 2-Shift is a power of 2
• Sector size and sectors per cluster
– Each stored in 1 byte
– Theoretical maximum is 2^255
– Sector Size Maximum 2^12
– Sectors per cluster is derived
– Cluster Size Maximum is 2^25
Executable Boot Code
• First 3 bytes of Main Boot Sector
– Jump Code
– 0xEB7690
• Offset 120 size 390
– Remainder of boot code
• Offset 510
– End signature marker
– 0xAA55 = “55AA”
• Offset 512
– Unused if defined
More Bootable Code
• Up to 8 Main Extended Boot Sectors
– FAT32 had 3 sector VBR with 1 MEBS
– Entire sector can be used for boot code
– Last 8 bytes of sector is marker
– 0xAA550000 = “000055AA”
• Larger capacity for boot virus!
VBR Checksum Sector
• The 12th sector of the VBR
• Repeating 4 byte checksum
• Checksum of previous 11 sectors
• Flags and Percent excluded
– These are volatile and change often
• Boot Sector Virus & Checksum
VBR Checksum Sector
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000010  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000020  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000030  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000040  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
Lines 00000050 through 000001BF repeated
000001C0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001D0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001E0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001F0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
The 4 byte checksum C9 D0 18 8B (little-endian value 0x8B18D0C9) is repeated to fill the whole sector.
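An added example (not code from the slides) of what the checksum sector lets an examiner verify: the rotate-right-and-add checksum over the 11 sectors before it, skipping the Volume Flags bytes (offsets 106-107) and Percent In Use (offset 112) so that a value recomputed after those volatile bytes change still matches, while any change to the boot code does not. The 12-sector region is constructed here, so its checksum is not the 0x8B18D0C9 of the dump above.

```python
def vbr_checksum(boot_region, bytes_per_sector=512):
    """32-bit rotate-right-and-add over the 11 sectors that precede the checksum
    sector, skipping VolumeFlags (offsets 106-107) and PercentInUse (offset 112):
    those bytes change on a live volume, so they are left out of the checksum."""
    n = 11 * bytes_per_sector
    if len(boot_region) < n:
        raise ValueError("need at least 11 sectors")
    csum = 0
    for i in range(n):
        if i in (106, 107, 112):
            continue
        csum = (((csum & 1) << 31) | (csum >> 1)) + boot_region[i]
        csum &= 0xFFFFFFFF
    return csum

def checksum_sector(csum, bytes_per_sector=512):
    """The 12th VBR sector: the 4-byte checksum, little-endian, repeated to fill it."""
    return csum.to_bytes(4, "little") * (bytes_per_sector // 4)

def verify_vbr(boot_region, bytes_per_sector=512):
    """True when the stored 12th sector equals the recomputed checksum sector."""
    n = 11 * bytes_per_sector
    stored = boot_region[n:n + bytes_per_sector]
    return stored == checksum_sector(vbr_checksum(boot_region, bytes_per_sector), bytes_per_sector)

def sample_boot_region():
    """Constructed 12-sector sample (not a dump from the slides): a main boot sector
    with the jump code, the EXFAT label and the 0x55AA marker, ten zero sectors,
    then a checksum sector computed for them."""
    s0 = bytearray(512)
    s0[0:3] = b"\xEB\x76\x90"          # jump code from the Executable Boot Code slide
    s0[3:11] = b"EXFAT   "             # OEM label, padded to 8 bytes
    s0[510:512] = b"\x55\xAA"          # end signature marker
    region = bytes(s0) + bytes(10 * 512)
    return region + checksum_sector(vbr_checksum(region))
```

A mismatch on a real volume means either the boot sectors or the checksum sector were rewritten outside the driver, which is exactly the boot code tampering the slide above warns about.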
FAT – File Allocation Table
• When it is used, same as legacy FAT
• Not used when file contiguous
• Never used for cluster allocation
• FAT 32 has 32 bit cells, uses 28 bits
• exFAT has 32 bit cells, uses 32 bits
• Maximum clusters is 2^32 - 11
• With TexFAT – 2 FAT Tables (2 Bitmaps)
• Addressed by pointer in VBR
• Size stored in VBR
– There is no 64 bit FAT
Cell Values in FAT Table
• 0x00000000 – No significant meaning
• 0x00000001 – Not a valid cell value
• 0xFFFFFFF6 – Largest Value
• 0xFFFFFFF7 – Bad Block
• 0xFFFFFFF8 – Media Descriptor
– Fixed Disk
• 0xFFFFFFF9-0xFFFFFFFE – Not Defined
• 0xFFFFFFFF – End of File (EOF)
FAT Table Example
Offset   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0000    F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0010    FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
0020    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00A0    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00C0    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00E0    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Cells are 4 bytes, little-endian: cell 0 = 0xFFFFFFF8 (Media descriptor); cell 1 = 0xFFFFFFFF (Reserved); cell 2 = 0xFFFFFFFF (Allocation Bit Map, EOF); cell 3 = 0xFFFFFFFF (UP-Case Table, EOF); cell 4 = 0xFFFFFFFF (Root Directory, EOF); remaining cells 0x00000000.
Allocation Bitmap
• Keeps track of cluster allocation status
– Zero – Free Cluster
– One – Allocated Cluster
• 1 Byte = Tracking of 8 Clusters
• Bit Zero – Byte Zero = Cluster 2
– Cluster 0 & Cluster 1 are not defined
• Addressed by Directory Entry
• With TexFAT – 2 of these (FAT Pairing)
Data Hide Alert!
• The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the metadata
• These files are static, typically won’t move, and have slack space.
• Nothing prevents someone from moving these files elsewhere in the cluster heap, and actually making them larger
Directories in exFAT
• Root (VBR Pointer)
– Contains certain critical entries
– Almost unlimited in size
• Subdirectory (by File Entry)
– Contains file sets
– 256MiB Max size
– No physical “.” or “..” entries
• Uses 16 Bit Unicode for strings
• Every Entry 32 bytes in size
• Entry 0x00 is end of directory
• Has capabilities for user entries
Data Hide Alert!
• Manipulation of the Allocation Bitmap, and creation of user directory entries provides the capability of hiding a file system within the file system
• It may also be possible to hide data within the directory metadata itself
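An added example (not code from the slides) of the cross-check that exposes the hiding place just described: read the Allocation Bitmap with the layout from the previous slide (bit 0 of byte 0 is cluster 2), work out which clusters the directory entries actually account for, and report clusters that are marked allocated but referenced by nothing. The sample volume is constructed; it assumes the bitmap, UP-Case table and root directory occupy clusters 2-4 and reuses the 18,695,711-byte file and 128 KiB clusters from the sample parameters later in the deck.

```python
def cluster_allocated(bitmap, cluster):
    """Bit 0 of byte 0 is cluster 2; clusters 0 and 1 have no bit."""
    idx = cluster - 2
    if idx < 0 or idx >= len(bitmap) * 8:
        raise ValueError("cluster %d is outside the bitmap" % cluster)
    return bool((bitmap[idx // 8] >> (idx % 8)) & 1)

def mark_allocated(bitmap, clusters):
    """Set the bits for the given clusters in a bytearray bitmap."""
    for c in clusters:
        cluster_allocated(bitmap, c)          # range check only
        bitmap[(c - 2) // 8] |= 1 << ((c - 2) % 8)

def fat_chain(fat, first, max_len):
    """Follow FAT cells from first until EOF (0xFFFFFFFF). Cells 0 and 1, the bad
    block marker 0xFFFFFFF7, loops and chains longer than the stream needs are errors."""
    chain, c = [], first
    while True:
        if c < 2 or c >= len(fat) or c in chain or len(chain) >= max_len:
            raise ValueError("broken FAT chain at %#x" % c)
        chain.append(c)
        nxt = fat[c]
        if nxt == 0xFFFFFFFF:
            return chain
        c = nxt

def stream_clusters(first, data_len, bytes_per_cluster, no_fat_chain, fat=None):
    """Clusters a stream occupies: a contiguous run when the stream extension's
    NoFatChain flag (bit 1) is set, otherwise the chain read from the FAT."""
    n = -(-data_len // bytes_per_cluster)      # ceiling division
    if no_fat_chain:
        return list(range(first, first + n))
    return fat_chain(fat, first, n)

def unreferenced_allocated(bitmap, referenced):
    """Clusters the bitmap marks in use that no directory entry accounts for."""
    return [c for c in range(2, 2 + len(bitmap) * 8)
            if cluster_allocated(bitmap, c) and c not in referenced]

def demo():
    """Constructed volume picture (not from the slides): a 63-byte bitmap (504 clusters),
    bitmap/UP-Case/root assumed at clusters 2-4, the 18,695,711-byte file from the slides
    at cluster 5 with 128 KiB clusters and NoFatChain set, and cluster 300 marked
    allocated although nothing references it."""
    bitmap = bytearray(63)
    referenced = {2, 3, 4}
    referenced.update(stream_clusters(5, 18695711, 131072, no_fat_chain=True))
    mark_allocated(bitmap, referenced | {300})
    return unreferenced_allocated(bitmap, referenced)
```

Clusters that come back from unreferenced_allocated are the ones to carve and hash first; the same walk also flags bitmap bits that were cleared under live data, which is how a planted "second file system" would protect itself from being overwritten.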
Entry Type
Type Field   Offset (Bits)  Size (Bits)
In Use       7              1
Category     6              1
Importance   5              1
Code         0              5
Entry Type
• In Use:
0 – Not in Use, 1- In Use
• Category:
0 – Primary, 1 – Secondary
• Importance:
0 – Critical, 1 – Benign
• Code: Identifies the entry
Volume Label Directory Entry
• 0x83 or 0x03 Entry
• Primary Entry
• Only resident in Root Directory
• Contains the Volume Label
• 16 bit Unicode
• 0x03 means no volume label
Volume Label Directory Entry
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00  ƒ.e.x.F.A.T.-.1.
00000010  32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00  2.8.K...........
Type = 0x83; Volume Name Length = 0x0A (10); Volume Label = exFAT-128K
Allocation Bitmap Directory Entry
• 0x81 Entry
• Primary Entry
• Only resident in Root Directory
• Points to the Allocation Bitmap
– If TexFAT, then 2 of these
– Flag bits says which FAT/Bitmap
• Cluster Address of Bitmap
• Size of Bitmap
Allocation Bitmap Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0010   00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00
Type = 0x81; Cluster Address (offset 0x14) = 2 (Cluster 2); Size (offset 0x18) = 0x3F (63 bytes)
UP-Case Table Directory Entry
• 0x82 Entry
• Primary Entry
• Only resident in Root Directory
• File names are case insensitive
• Used to fold file name
• Table has a checksum (32 bits)
UP-Case Table Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00
0010   00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00
Type = 0x82; Table Checksum (offset 0x04) = 0xE619D30D; Cluster Address (offset 0x14) = 3; Length (offset 0x18) = 0x16CC = 5,836
File Directory Entry Set
• Used to define a file
• May have 3 to 19 entries, or more
• 1 Primary, many Secondary
• Is considered an array
– Must be in order
– Must be contiguous (no gaps)
• Entire Set has Checksum
File Directory Entry
• 0x85 or 0x05 Entry
• Primary Entry
• Set Checksum (16 bits)
– Not modified on file delete
• Secondary Count
– # Secondary entries that follow
• File Attributes
• Timestamps
Timestamps & Time Zones
• 3 Timestamps (MAC)
• 32 bit DOS Date/Time
– Local Machine Time
• 10ms Offset (MC)
• TZ Offset (MAC)
– 15 minute increments
– 7 bit signed number
– ±16 hours
– Present with UTC support
Timestamp Accuracy
• FAT32 – Last Access – Date only
• exFAT – Last Access – Date/Time
• All DOS DATE/TIME Double Seconds
• 10ms adds 0-1990 ms to time
• 10ms only for Create/Modify
Timestamp Reliability
• Timestamps appear to be updated when the file is created or modified.
• Last Accessed Timestamp appears to be updated when the file is created or modified.
• Last Accessed Timestamp appears NOT to be modified on file read.
• Forensics Implication on MAC time analysis
File Attributes
Attribute   Offset  Size  Mask
Reserved2   6       10
Archive     5       1     0x20
Directory   4       1     0x10
Reserved1   3       1
System      2       1     0x04
Hidden      1       1     0x02
Read-Only   0       1     0x01
File Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A
0010   44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00
Type = 0x85; # Secondary Entries = 04; Set Checksum = 0x92D4; Attributes = 0x0020 (Archive)
Create (offset 0x08) = 0x3B866244; Modified (offset 0x0C) = 0x3ABA62F1; Accessed (offset 0x10) = 0x3B866244
Create 10ms (offset 0x14) = A8; Modified 10ms (offset 0x15) = 00; TZ Offset C/M/A (offsets 0x16-0x18) = EC = GMT-5
Formatted File Directory Entry
Root Entry Type Read is:    85 Directory Entry Record
Checksum:                   92D4
Calculated Checksum is:     92D4    Size Directory Set (bytes): 160
Secondary Count             004
File Attributes:            0020 Archive
Create Timestamp:           3B866244 12/06/2009 12:18:08
Last Modified Timestamp:    3ABA62F1 05/26/2009 12:23:34
Last Accessed Timestamp:    3B866244 12/06/2009 12:18:08
10 ms Offset Create         A8 168
10 ms Offset Modified       00 0
Time Zone Create            EC 236 Value of tz is: GMT -05:00
Time Zone Modified          EC 236 Value of tz is: GMT -05:00
Time Zone Last Accessed     EC 236 Value of tz is: GMT -05:00
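An added example (not code from the slides) that decodes the three timestamp fields shown above the way the Timestamps & Time Zones slide describes them: the 32-bit DOS date/time in double seconds, the 10 ms increment that only Create and Modify carry (A8 = 168 = 1.68 s, so the create time is really 12:18:09.680), and the UTC offset byte EC, whose bit 7 says the offset is valid and whose low 7 bits are a signed count of 15-minute units (-20 = GMT-5). The UTC normalisation is what MAC-time analysis across media from different machines needs.

```python
from datetime import datetime, timedelta, timezone

def decode_exfat_timestamp(dos32, inc10ms=0, utc_off=0):
    """Decode one exFAT timestamp triple into an aware (or naive) datetime.
    dos32:   32-bit DOS date/time; high word = date (7-bit year since 1980,
             4-bit month, 5-bit day), low word = time (5-bit hour, 6-bit
             minute, 5-bit double-seconds).
    inc10ms: 10 ms increment, 0-199, present for Create and Modify only.
    utc_off: bit 7 = offset valid, low 7 bits = signed 15-minute units."""
    if not 0 <= dos32 <= 0xFFFFFFFF or not 0 <= inc10ms <= 199:
        raise ValueError("field out of range")
    date, time = dos32 >> 16, dos32 & 0xFFFF
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, twosec = time >> 11, (time >> 5) & 0x3F, time & 0x1F
    if twosec > 29:
        raise ValueError("double-seconds field above 29")
    # the 10 ms increment can carry into the seconds (A8 = 168 -> 1680 ms)
    second, ms = divmod(twosec * 2000 + inc10ms * 10, 1000)
    if utc_off & 0x80:
        units = utc_off & 0x7F
        minutes = (units - 128 if units & 0x40 else units) * 15   # 7-bit two's complement
        tz = timezone(timedelta(minutes=minutes))
    else:
        tz = None   # written without UTC support: local machine time, offset unknown
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=tz)

def to_utc(ts):
    """Normalise a decoded timestamp to UTC for timeline work; None if no offset was stored."""
    return ts.astimezone(timezone.utc) if ts.tzinfo else None
```

A None from to_utc marks a timestamp written by a driver without UTC support (XP, Vista before SP2), which must be interpreted in the writing machine's local time rather than silently treated as UTC.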
Stream Extension Directory Entry
• 0xC0 or 0x40 Entry
• Secondary Entry
• Length of Name
• Length of File (2 of them)
• Cluster address of first data block
• Name Search Hash value
• Secondary Flag
– FAT Invalid
– Allocation Possible
Stream Extension Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00
0010   00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00
Type = 0xC0; Flags = 03 (Alloc Possible/Fat Invalid); Length of File Name = 0x28 (40); Name Hash = 0x3CAD
Data Length (offsets 0x08 and 0x18) = 0x011d461f = 18,695,711; Cluster (offset 0x14) = 5
Parameters for Samples
Bytes Per Sector: 2 to the 09 power is: 512
Sectors Per Cluster: 2 to the 08 power is: 256
Bytes per Cluster: 131072 (128K)
Formatted Stream Extension
Root Entry Type Read is: C0 Directory Entry Record, Stream Extension
Secondary Flags: 03
Flag Bit 0: Allocation Possible
Flag Bit 1: FAT Chain Invalid
Length of UniCode Filename is: 40
Name Hash Value is: AD3C
Stream Extension First Cluster 5    Cluster 5 is Allocated
Stream Extension Data Length 18695711 Bytes    Slack: 83487    Clusters Used: 143
Stream Extension Valid Data Length 18695711 Bytes    Slack: 83487    Clusters Used: 143
File Name Extension Directory Entry
• 0xC1 or 0x41 Entry
• Secondary Entry
• Secondary Flags
– Allocation not possible
– FAT Invalid
• 15 Characters (30 bytes) of Name
• Name in 16 Bit Unicode
• In order (FAT32 LFN was reversed)
• Up to 17 max, total 255 characters
File Name Extension Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00  Á.b.u.s.i.n.e.s.
0010   73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00  s._.o.f._.s.e.c.

0000   C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00  Á.u.r.i.t.y._._.
0010   62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00  b.u.s.-.1.0.5.-.

0000   C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00  Á.3.2.k.b.p.s...
0010   6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00  m.p.3...........
File Name = business_of_security__bus-105-32kbps.mp3
Significance of “not in use” flag
• 0x05, 0x40 & 0x41 Entries
– “Not in use” may mean deleted files
– May also be reallocated rename
• Set Checksum not changed when entries
marked “not in use”
Summary
• exFAT is a new generation of the FAT family of Microsoft File Systems
• The need for forensics tools will heat up in 2010
• We don’t have the right tools yet
• Documentation and support for exFAT is scarce
Q&A
Contact Information
• E-mail: rshullic@earthlink.net
• Blog: rshullic.wordpress.com
• Blog: shullich.blogspot.com
References
SANS Reading Room:
http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274
Microsoft Patent:
Microsoft Patent 0164440 (June 25, 2009). Quick Filename Lookup Using Name Hash. Pub No. US 2009/0164440 A1. Retrieved December 10, 2009 from
http://www.pat2pdf.org/patents/pat20090164440.pdf